U.S. Officials Tell Congress the Country Lags in Fortifying IT Security

Despite the increase in volume and sophistication of cyber-attacks, government officials testified before a U.S. House subcommittee that the country has been slow to beef up IT security.

While
cyber-attacks against U.S. computer networks are becoming more frequent and
increasingly more sophisticated, the country is lagging in its efforts to beef
up IT security, government officials testified in front of Congress.
The
Energy and Commerce Subcommittee on Oversight held hearings on cyber-security
and securing the nation's critical infrastructure on July 26. The hearings
examined the government's efforts to safeguard private-sector networks that are
considered part of the country's critical infrastructure, such as the electric
grid and nuclear power plants, against cyber-threats.

Witnesses
included Gregory Wilshusen, the director of information security issues at the
Government Accountability Office; Sean McGurk, director of the National Cyber-security
and Communications Integration Center at the Department of Homeland Security's
cyber-division; and Bobbie Stempfley, acting assistant secretary of the DHS
Office of Cyber Security and Communications.

In
his testimony Stempfley denied that the increase in the number of attacks means
that the security of U.S. government and private networks is weaker than it was
a few years ago. "I wouldn't say we're more vulnerable than five years ago, but
we are much more aware," Stempfley told lawmakers.
However,
as more industries move toward electronic information systems, such as
utilities relying on smart
meters, they are exposing themselves to cyber-attacks, according to
Stempfley.
As
attackers target a wider range of industries, victims are becoming willing to
report the incidents, McGurk said, which means the government can collaborate
more effectively with the private sector to collect information about threats
and to mitigate them.
Under
the White
House cyber-security proposal released in May, the Department of Homeland
Security would take the lead role in protecting non-military networks such as
power grids and transportation networks. Rep. Cliff Stearns, R-Fla.,
subcommittee chairman, said he will hold additional hearings to examine how
individual sectors are protected.
"We
must identify and protect the very systems that make our country run: energy,
water, health care, manufacturing and communications," Stearns said in his
opening statement.
The
United States has lagged behind on implementing necessary protections, GAO's
Wilshusen told lawmakers, noting that the administration has implemented only
two of 24 recommendations from the president's cyber-space policy review.
Progress has slow because federal agencies don't have cyber-security officials
with clearly defined roles and responsibilities, Wilshusen said. The DHS needs
to improve its analysis and warning capabilities to be able to respond to
threats, he said.
Another
example is ensuring critical
industrial systems can fend off Stuxnet. There are approximately 300
companies using the Siemens systems that the Stuxnet worm could compromise,
according to McGurk, who wasn't sure if they had implemented the recommended
security precautions to guard against Stuxnet.
The
DHS is concerned that other attackers can use "increasingly public
information" about the worm
to launch variants that would target other industrial control systems,
Stempfley said, noting that various iterations of decompiled Stuxnet code are
available online. Stuxnet took advantage of several zero-day vulnerabilities to
compromise Siemens programmable logic controllers and to cause significant
damage to Iran's nuclear enrichment program in 2010. There are reports that Iran
is still trying to eradicate the infection.
"The
threats to information systems are evolving and growing, and systems supporting
our nation's critical infrastructure are not sufficiently protected to
consistently thwart the threats," Wilshusen said.
As
cyber-threats become more frequent and sophisticated, the House subcommittee
should "play an important role" in any cyber-security legislation
that moves through the House of Representatives, Fred Upton, R-Mich., full
committee chairman, said in his opening statement. There are several
cyber-security proposals circulating in the House and Senate, and some kind of
cyber-security legislation focusing on threats to industry is expected later
this year.
Stempfley
also told the House subcommittee that the resignation
of Randy Vickers as the director of the DHS' Computer Emergency Readiness
Team on July 22 was a "personal decision."